
I have a problem where my Unix systems are being sent out to all corners of the world, where they are uploading data to a database. What I am finding is people don't know about firewalls/port forwarding to allow me SSH access. Is there any software for Unix that allows me to connect without needing the ports forwarded? I know such software exists for Windows. Logmein.com does exactly what I need but is Windows/Mac only. Any help would be much appreciated.

DaveB

1 Answer


Just have your remote systems create ssh connections back to a central "management" server, using the -R reverse tunnel. That way you'll be able to ssh to your remote systems through the tunnel they've created.

Use autossh for this, and it'll automatically monitor the state of the tunnels and will re-start them if necessary.

From the command line of your remote systems, the ssh command to do this would look something like:

$ ssh user@management.example.com -R 2222:localhost:22

Then from the management server, you'd be able to do the following to ssh into the remote servers:

$ ssh user@localhost -p2222

Obviously, you'd need each remote system to specify a different remote port for the tunnel. Needless to say, keep good records of which port each remote system is using so they don't try and step on each other.

EEAA
    Note however that if the remote site's firewall doesn't allow arbitrary outbound connections (or if they block outbound SSH specifically) this won't work. You will still have to educate some percentage of your users... – voretaq7 Sep 26 '11 at 16:30
  • The VPN to home idea is good, though I prefer to use OpenVPN instead of SSH as my VPN. The advantage being that I can easily configure OpenVPN to try many different ports, and it can even be configured to work through a proxy. – Zoredache Sep 26 '11 at 19:22
  • @Zoredache Good point. OpenVPN would be an ideal solution, if a bit more involved than setting up automated SSH tunnels. Many software appliance vendors use SSH for this purpose, which is why it came to mind first. – EEAA Sep 26 '11 at 19:24
  • Many thanks. I think I'll try the OpenVPN as I have used it in the past. Again thanks! – DaveB Sep 27 '11 at 08:00
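The answer above describes three things that belong together in practice: the `-R` reverse tunnel, keeping it alive with autossh, and keeping a record of which management-server port each remote system owns. The following script is an added example, not code from the answer or from the autossh project. It keeps that record in one table, builds the autossh command a remote system would run at boot, refuses to build one for a system that has no recorded port, and flags duplicate ports before two systems can collide. The management host, user, site names, ports and the key in the authorized_keys line are all constructed placeholders. The authorized_keys helper goes one step beyond the answer: with OpenSSH 7.8 or later, `restrict,port-forwarding,permitlisten="PORT"` lets each remote system's key open only its own reverse port on the management server and nothing else.

```shell
#!/bin/sh
# Added example (not from the original answer): build a per-system autossh
# reverse-tunnel command and check that no two systems share a tunnel port.
# Hostnames, ports, the management host and user are constructed placeholders.

MGMT_USER="tunnel"
MGMT_HOST="management.example.com"

# Constructed inventory: "<remote-hostname> <port on the management server>"
PORT_TABLE='site-london  2201
site-tokyo   2202
site-lima    2203'

# Look up the tunnel port recorded for a remote system; fail if it is unknown,
# so a system never comes up on an ad-hoc port that might collide with another.
tunnel_port() {
    port=$(printf '%s\n' "$PORT_TABLE" | awk -v h="$1" '$1 == h { print $2 }')
    [ -n "$port" ] || { echo "no tunnel port recorded for $1" >&2; return 1; }
    printf '%s\n' "$port"
}

# Print every port that appears more than once in the table (empty if clean).
duplicate_ports() {
    printf '%s\n' "$PORT_TABLE" | awk '{ print $2 }' | sort | uniq -d
}

# Build the autossh command a remote system would run at boot.
#  -M 0                      rely on ssh's own keepalives instead of a monitor port
#  -N                        no remote shell, tunnel only
#  ServerAlive*              detect a dead connection so autossh restarts it
#  ExitOnForwardFailure=yes  if the -R port is already taken on the management
#                            server, exit (and let autossh retry) instead of
#                            sitting there connected but without a tunnel
#  -R port:localhost:22      listen on the management server, forward to local sshd
build_tunnel_cmd() {
    port=$(tunnel_port "$1") || return 1
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R %s:localhost:22 %s@%s\n' \
        "$port" "$MGMT_USER" "$MGMT_HOST"
}

# authorized_keys line for the management server (needs OpenSSH 7.8+ for
# permitlisten): the remote system's key may only open its own -R port, with
# no shell, no agent/X11 forwarding and no other forwards. Key is a placeholder.
authorized_keys_line() {
    port=$(tunnel_port "$1") || return 1
    printf 'restrict,port-forwarding,permitlisten="%s" ssh-ed25519 AAAA...PLACEHOLDER %s\n' \
        "$port" "$1"
}

# Usage: ./tunnels.sh site-london   prints the command for that site and
# warns if the inventory contains a port clash.
if [ -n "$1" ]; then build_tunnel_cmd "$1"; fi
dups=$(duplicate_ports)
[ -z "$dups" ] || echo "WARNING: duplicate tunnel port(s): $dups" >&2
```

On the management server, the default `GatewayPorts no` keeps each `-R` listener bound to loopback, which is what the answer's `ssh user@localhost -p2222` relies on; the `permitlisten` restriction is what stops a compromised remote system from reusing its key to grab another system's port.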